From: Michelle Sullivan <michelle@sorbs.net>
To: Dag-Erling Smørgrav
Cc: Yuri, Igor Mozolevsky, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Wed, 13 Dec 2017 06:10:36 +1100
Message-id: <5A3029AC.8040203@sorbs.net>
In-reply-to: <86h8swgnwk.fsf@desk.des.no>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

Dag-Erling Smørgrav wrote:
> Michelle Sullivan writes:
>> User gets an email saying his banking details are compromised, and to
>> update them now. User clicks the link and gives banking details to
>> phishing site as well as having a keylogger and rootkit installed
>> during the process. User has bank account hacked. Where did the bank
>> go wrong?
> Banks and financial institutions have whole teams working 24/7

Not outside of Europe (and those that do are not large.)

> , usually
> in cooperation with national authorities, to detect, investigate and
> shut down phishing campaigns, and to warn customers (either directly or
> through mass media) of particularly large or well-executed campaigns.

No.

> In the EU and EEA, banks are liable for losses in excess of €150 unless
> the customer acted “with intent or gross negligence”, but the definition
> of “gross negligence” is fluid. Legal precedent in Norway is to hold
> the customer liable only if the email was “an obvious forgery”, for some
> definition of “obvious”.

Maybe that will change stuff.

> TL;DR: yes, banks are held liable for losses attributable to phishing.

No, and I can tell you I had a discussion with some unnamed bank's (but very well known, very very very well known) online security managers, and I said to them: hold the users responsible for 419-type spams. The response was a resounding 'no', and not because of regulation, but purely because they were worried about losing market share to other banks through bad publicity!

>
> Source: I do this for a living (although not at a bank).
>
> DES

So do I; I have been in the business I am in since 2000, and a lot of what I do, and who for, I can't even mention.
What I can tell you is I built SORBS, I still run SORBS, and I still work closely with LEOs and banks (amongst others) dealing with online security for the company that now owns SORBS.

This is getting way off-topic though. The topic is about forcing the use of https over http in the name of 'securing' an inherently insecure and compromised network, in the name of privacy for a couple of people. Wrong solution, for the wrong reasons. svn over https is already available; those people who believe it gives security should use it and get out of other people's business. If they really want to make an impact on the perceived problem, they should target the malicious actors and the use of Tor as a pseudo-secure platform (i.e. the few who would use http over Tor for downloading source and don't know the dangers should probably learn, or not use Tor in the first place!)

Regards,

Michelle